Stored Cross-Site Scripting in WordPress Infinite Scroll – Ajax Load More Plugin
CVE-2026-15295

4.4MEDIUM

What is CVE-2026-15295?

The Infinite Scroll – Ajax Load More plugin for WordPress has a vulnerability that allows authenticated attackers with administrator privileges to perform Stored Cross-Site Scripting (XSS). This occurs through improperly sanitized inputs in the admin settings, which permits the injection of malicious scripts. Once injected, these scripts can execute on pages viewed by users, creating significant security risks, especially in multi-site installations or where the 'unfiltered_html' option is disabled. The issue affects all versions up to and including 7.0.1.

Affected Version(s)

Ajax Load More – Infinite Scroll, Load More, & Lazy Load 0 <= 7.0.1

References

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

afei
.